Don't want to give admin consent to the azure app via GroupMember.Read.All

Nauman Afzal 0 Reputation points
2025-03-11T15:49:35.17+00:00

I have a web app running Symfony. I have already configured single sign-on via Azure using an OAuth library, which is working fine.

Now I need to retrieve the users and groups information from Azure to add this data into my database, like a synchronization. The problem is: I don't want to give admin consent to my Azure app for GroupMember.Read.All.
What are the options for me? Btw, in my app I have normal users and admins. I want to implement it so that only admins can sync the data, but normal users should only be able to log in via the app.

I was more thinking about making 2 separate apps (one for login and one to retrieve the groups' information from azure)

Microsoft Security | Microsoft Graph

1 answer

  1. Rajat Vashistha-MSFT 1,690 Reputation points Microsoft External Staff
    2025-03-11T17:01:10.3466667+00:00

    Hi Nauman Afzal,

    Thanks for reaching out to Microsoft!

    Microsoft Graph requires admin consent for directory-wide read operations. Therefore, I suggest using two separate Azure AD app registrations:

    1. App1: For user login with minimal permissions, avoiding the need for admin consent. This will allow normal users to sign in.
    2. App2: For admin interactions with the "GroupMember.Read.All" permission, requiring admin consent.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.

    1 person found this answer helpful.
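The two-registration split above, sketched in Python as an added example (not part of the original answer or of the asker's Symfony app; tenant, client and group IDs are placeholders, and Graph is replaced by constructed sample responses so it runs offline): App1 only ever asks for delegated OIDC scopes, while the admin-triggered sync refuses to run unless it holds an app-only App2 token whose `roles` claim carries `GroupMember.Read.All`, then pages through group members with `@odata.nextLink`.

```python
import base64, json
from typing import Callable, Iterator, List

GRAPH = "https://graph.microsoft.com/v1.0"
# App1 (login): delegated OIDC scopes only; none of these needs admin consent.
LOGIN_SCOPES = ["openid", "profile", "email"]
# App2 (sync): app-only client-credentials flow; admin consent is granted once, to App2 only.
SYNC_APP_ROLES = {"GroupMember.Read.All"}

def decode_claims(jwt: str) -> dict:
    """Inspect a JWT payload we received from the token endpoint (Graph verifies the signature)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def sync_token_has_required_roles(jwt: str) -> bool:
    """App-only tokens carry permissions in `roles`, delegated tokens in `scp`.
    Only an app-only App2 token with the role may drive the sync; an App1 login
    token (scp, no roles) is rejected even if someone wires it in by mistake."""
    claims = decode_claims(jwt)
    return "scp" not in claims and SYNC_APP_ROLES <= set(claims.get("roles", []))

def iter_group_members(group_id: str, http_get: Callable[[str], dict]) -> Iterator[dict]:
    """Walk /groups/{id}/members following @odata.nextLink to the last page. Only
    user objects are yielded; nested groups, devices and service principals can be
    members too and must not land in the users table."""
    url = f"{GRAPH}/groups/{group_id}/members?$select=id,displayName,mail"
    while url:
        page = http_get(url)
        for member in page.get("value", []):
            if member.get("@odata.type") == "#microsoft.graph.user":
                yield member
        url = page.get("@odata.nextLink")

def sync_members(group_id: str, token: str, http_get: Callable[[str], dict]) -> List[str]:
    """Admin-only entry point: ids of the users to upsert, or PermissionError."""
    if not sync_token_has_required_roles(token):
        raise PermissionError("sync needs App2's app-only token with GroupMember.Read.All")
    return [m["id"] for m in iter_group_members(group_id, http_get)]

def fake_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

def fake_graph(pages: List[dict]) -> Callable[[str], dict]:
    """Constructed stand-in for Graph that serves the sample pages in order."""
    it = iter(pages)
    return lambda url: next(it)
```

In the real app the `http_get` argument is an HTTP client that sends App2's bearer token; the login path (App1) never calls `sync_members` at all.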
